<p>Using unencrypted RDS DB resources exposes data to unauthorized access.<br> This includes database data, logs, automatic backups, read replicas,
snapshots, and cluster metadata.</p>
<p>This situation can occur in a variety of scenarios, such as:</p>
<ul>
  <li> A malicious insider working at the cloud provider gains physical access to the storage device. </li>
  <li> Unknown attackers penetrate the cloud provider’s logical infrastructure and systems. </li>
</ul>
<p>After a successful intrusion, the underlying applications are exposed to:</p>
<ul>
  <li> theft of intellectual property and/or personal data </li>
  <li> extortion </li>
  <li> denial of services and security bypasses via data corruption or deletion </li>
</ul>
<p>AWS-managed encryption at rest reduces this risk with a simple switch.</p>
<h2>Ask Yourself Whether</h2>
<ul>
  <li> The database contains sensitive data that could cause harm when leaked. </li>
  <li> There are compliance requirements for the service to store data encrypted. </li>
</ul>
<p>There is a risk if you answered yes to any of those questions.</p>
<h2>Recommended Secure Coding Practices</h2>
<p>It is recommended to enable encryption at rest on any RDS DB resource, regardless of the engine.<br> In any case, no further maintenance is
required as encryption at rest is fully managed by AWS.</p>
<h2>Sensitive Code Example</h2>
<p>For <a
href="https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_rds.CfnDBCluster.html"><code>aws-cdk-lib.aws_rds.CfnDBCluster</code></a>:</p>
<pre>
import { aws_rds as rds } from 'aws-cdk-lib';

new rds.CfnDBCluster(this, 'example', {
  storageEncrypted: false, // Sensitive
});
</pre>
<p>For <a
href="https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_rds.CfnDBInstance.html"><code>aws-cdk-lib.aws_rds.CfnDBInstance</code></a>:</p>
<pre>
import { aws_rds as rds } from 'aws-cdk-lib';

new rds.CfnDBInstance(this, 'example', {
  storageEncrypted: false, // Sensitive
});
</pre>
<p>For <a
href="https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_rds.DatabaseCluster.html"><code>aws-cdk-lib.aws_rds.DatabaseCluster</code></a>:</p>
<pre>
import { aws_rds as rds } from 'aws-cdk-lib';
import { aws_ec2 as ec2 } from 'aws-cdk-lib';

declare const vpc: ec2.Vpc;

const cluster = new rds.DatabaseCluster(this, 'example', {
  engine: rds.DatabaseClusterEngine.auroraMysql({ version: rds.AuroraMysqlEngineVersion.VER_2_08_1 }),
  instanceProps: {
    vpcSubnets: {
      subnetType: ec2.SubnetType.PRIVATE_WITH_EGRESS,
    },
    vpc,
  },
  storageEncrypted: false, // Sensitive
});
</pre>
<p>For <a
href="https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_rds.DatabaseClusterFromSnapshot.html"><code>aws-cdk-lib.aws_rds.DatabaseClusterFromSnapshot</code></a>:</p>
<pre>
import { aws_rds as rds } from 'aws-cdk-lib';

declare const vpc: ec2.Vpc;

new rds.DatabaseClusterFromSnapshot(this, 'example', {
  engine: rds.DatabaseClusterEngine.aurora({ version: rds.AuroraEngineVersion.VER_1_22_2 }),
  instanceProps: {
    vpc,
  },
  snapshotIdentifier: 'exampleSnapshot',
  storageEncrypted: false, // Sensitive
});
</pre>
<p>For <a
href="https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_rds.DatabaseInstance.html"><code>aws-cdk-lib.aws_rds.DatabaseInstance</code></a>:</p>
<pre>
import { aws_rds as rds } from 'aws-cdk-lib';

declare const vpc: ec2.Vpc;

new rds.DatabaseInstance(this, 'example', {
  engine: rds.DatabaseInstanceEngine.POSTGRES,
  vpc,
  storageEncrypted: false, // Sensitive
});
</pre>
<p>For <a
href="https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_rds.DatabaseInstanceReadReplica.html"><code>aws-cdk-lib.aws_rds.DatabaseInstanceReadReplica</code></a>:</p>
<pre>
import { aws_rds as rds } from 'aws-cdk-lib';

declare const sourceInstance: rds.DatabaseInstance;

new rds.DatabaseInstanceReadReplica(this, 'example', {
  sourceDatabaseInstance: sourceInstance,
  instanceType: ec2.InstanceType.of(ec2.InstanceClass.BURSTABLE2, ec2.InstanceSize.LARGE),
  vpc,
  storageEncrypted: false, // Sensitive
});
</pre>
<h2>Compliant Solution</h2>
<p>For <a
href="https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_rds.CfnDBCluster.html"><code>aws-cdk-lib.aws_rds.CfnDBCluster</code></a>:</p>
<pre>
import { aws_rds as rds } from 'aws-cdk-lib';

new rds.CfnDBCluster(this, 'example', {
  storageEncrypted: true,
});
</pre>
<p>For <a
href="https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_rds.CfnDBInstance.html"><code>aws-cdk-lib.aws_rds.CfnDBInstance</code></a>:</p>
<pre>
import { aws_rds as rds } from 'aws-cdk-lib';

new rds.CfnDBInstance(this, 'example', {
  storageEncrypted: true,
});
</pre>
<p>For <a
href="https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_rds.DatabaseCluster.html"><code>aws-cdk-lib.aws_rds.DatabaseCluster</code></a>:</p>
<pre>
import { aws_rds as rds } from 'aws-cdk-lib';

declare const vpc: ec2.Vpc;

const cluster = new rds.DatabaseCluster(this, 'example', {
  engine: rds.DatabaseClusterEngine.auroraMysql({ version: rds.AuroraMysqlEngineVersion.VER_2_08_1 }),
  instanceProps: {
    vpcSubnets: {
      subnetType: ec2.SubnetType.PRIVATE_WITH_EGRESS,
    },
    vpc,
  },
  storageEncrypted: false, // Sensitive
});
</pre>
<p>For <a
href="https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_rds.DatabaseClusterFromSnapshot.html"><code>aws-cdk-lib.aws_rds.DatabaseClusterFromSnapshot</code></a>:</p>
<pre>
import { aws_rds as rds } from 'aws-cdk-lib';

declare const vpc: ec2.Vpc;

new rds.DatabaseClusterFromSnapshot(this, 'example', {
  engine: rds.DatabaseClusterEngine.aurora({ version: rds.AuroraEngineVersion.VER_1_22_2 }),
  instanceProps: {
    vpc,
  },
  snapshotIdentifier: 'exampleSnapshot',
  storageEncrypted: true,
});
</pre>
<p>For <a
href="https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_rds.DatabaseInstance.html"><code>aws-cdk-lib.aws_rds.DatabaseInstance</code></a>:</p>
<pre>
import { aws_rds as rds } from 'aws-cdk-lib';

declare const vpc: ec2.Vpc;

new rds.DatabaseInstance(this, 'example', {
  engine: rds.DatabaseInstanceEngine.POSTGRES,
  vpc,
  storageEncrypted: true,
});
</pre>
<p>For <a
href="https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_rds.DatabaseInstanceReadReplica.html"><code>aws-cdk-lib.aws_rds.DatabaseInstanceReadReplica</code></a>:</p>
<pre>
import { aws_rds as rds } from 'aws-cdk-lib';

declare const sourceInstance: rds.DatabaseInstance;

new rds.DatabaseInstanceReadReplica(this, 'example', {
  sourceDatabaseInstance: sourceInstance,
  instanceType: ec2.InstanceType.of(ec2.InstanceClass.BURSTABLE2, ec2.InstanceSize.LARGE),
  vpc,
  storageEncrypted: true,
});
</pre>
<h2>See</h2>
<ul>
  <li> <a href="https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.Encryption.html">AWS Documentation</a> - Encrypting Amazon RDS
  resources </li>
  <li> CWE - <a href="https://cwe.mitre.org/data/definitions/311">CWE-311 - Missing Encryption of Sensitive Data</a> </li>
  <li> STIG Viewer - <a href="https://stigviewer.com/stigs/application_security_and_development/2024-12-06/finding/V-222588">Application Security and
  Development: V-222588</a> - The application must implement approved cryptographic mechanisms to prevent unauthorized modification of information at
  rest. </li>
</ul>
